
2 posts from March 2021

09 March 2021

Why managing the human factors is crucial to a successful cyber security crisis response

by Lorena Gutierrez Manager, Crisis and Resilience, PwC United Kingdom

Email +44 (0)7483 421724

When responding to a cyber security crisis, well-embedded plans and processes are crucial to supporting the business and technical response. But a successful response also strongly relies on a number of human factors. An often small leadership group has to make difficult decisions and provide direction to those relying on them, under pressure and up against a ticking clock.

In contrast to other types of crises, cyber crises are particularly complex due to three characteristics:

  • They are often widespread, and their impact traverses geographical boundaries.
  • They present a high degree of uncertainty, forcing executive leaders to make difficult decisions without a full understanding of the situation.
  • The lifecycle of a cyber crisis continually evolves. This means that the decisions responders make can directly affect how the rest of the situation develops.

The situational pressure that comes with tackling a cyber crisis can trigger a physiological, emotional and cognitive impact on everyone involved. The high degree of stress that crises can generate has a direct effect on the human brain’s ability to think clearly - and therefore on how we react. Below we have laid out how this can affect those involved in responding to a cyber crisis, and why minimising the impact of these responses is crucial to a successful crisis response.

The physiological response

Responding to a cyber crisis activates the ‘fight or flight’ threat circuit in our brains. This can cause strong physiological reactions - including increased heart rate, rising blood pressure, muscle twitching, an influx of adrenaline and even the numbing of senses. For our human instincts, these are all indicators to try to avoid or get out of a situation as quickly as possible. This may lead people to try and come up with the ‘fastest solutions’, rather than considering the wider, long-term impacts of each decision.

In any cyber crisis, the triad of confidentiality (data is protected from unauthorised access), integrity (data is reliable) and availability (data is accessible) presents a challenge for executive decision makers. For example, during an event where an organisation’s systems have been compromised, members of the crisis management team might decide to shut certain applications down. This decision could be made in response to the physiological demand to do something ‘tangible’ to address the problem. But a decision like this may underestimate the operational impact on other business activities.

Similarly, the rush to ‘get things done’ may prevent crisis managers from pausing to assess the less obvious impacts of their decisions. Even if less critical business functions are not the focus of the response, the effect of crisis decisions on them could eventually escalate into more challenging problems if left unaddressed.

The emotional response

The individual response to stressors is different for every person. While some might feel anxious or scared, others tend to show anger or even a sense of denial about the severity of the situation. During a cyber security crisis, these contrasting reactions might hinder responders’ ability to think clearly and agree on the priorities that will drive the response strategy.

Very often, cyber security crises force the business to choose between multiple conflicting priorities. For example, if a cyber attack has affected both the organisation’s ability to pay its staff and its customer-facing systems, the crisis team might need to prioritise the allocation of resources to address either problem first. The high stakes of having to choose between two or more undesirable options can trigger ‘decision inertia’. Responders may deliberate for too long - or even fail to act - in the hope of finding a better solution, making the situation worse.

The emotional response to a crisis also has an impact on how responder teams communicate with one another and with other stakeholders. Under pressure, people’s tolerance for operating with limited information, as well as for dissenting opinions, tends to diminish exponentially. The likelihood of impulsive reactions increases at a time when clear, direct communication is of utmost importance.

The cognitive response

Stress, fear and high levels of pressure can interfere with our ability to process a crisis situation and therefore hinder objective decisions. Combined with other typical factors when responding to a crisis, this intensifies the brain’s tendency to operate based on unconscious beliefs, affecting a person’s well-rounded understanding of the situation.

The uncertain nature of cyber crises presents an ideal setting for this phenomenon. Responders who are more risk averse by nature might feel reluctant to make decisions and can spend too much time trying to obtain more information. This may inadvertently allow the cyber crisis to escalate as a result of inaction. Others might experience the opposite, making rushed decisions based on an exaggerated sense of confidence. And some may fall into ‘catastrophic thinking’, believing nothing can be done to resolve the crisis.

Anticipating the human factors is key to an effective cyber crisis response

There’s no simple formula for avoiding the stress brought on by a cyber crisis. But just as crisis management plans allow organisations to rely on pre-agreed response processes, there are actions you can take to minimise the impact of physiological, emotional and cognitive responses.

  1. Develop self-awareness of your own response tendencies and leadership style under stress: crisis managers can benefit from reflecting on their own reactions when operating under pressure. Gaining experience, either individually or as part of facilitated training and coaching sessions, so you can identify and anticipate your own potential vulnerabilities will provide useful preparation and reduce unexpected reactions.
  2. Acknowledge the critical role of wellbeing: crisis management is often misperceived as a discipline characterised by a default state of constant chaos. However, performing effectively during a crisis greatly depends on the resilience that crisis responders build outside of the crisis room. While the definition of wellbeing is different for each person, cultivating proactive resilience (healthy body and healthy mind) is a key common denominator amongst the most effective crisis responders.
  3. Plan for the availability of resources in advance: the combination of multiple workstreams and a finite number of resources is the most common cause of burnout amongst responders within the first few days of a cyber crisis. You can reduce this risk by developing and maintaining a robust crisis management plan that includes contingency resourcing considerations. This may take the form of a rota or third-party support that can be called on at short notice. By addressing the potential constraint of resources as part of your cyber crisis planning, you can maximise the effectiveness of your response.

Responding to a cyber crisis inevitably involves a degree of stress. However, acknowledging the human reactions that responders may experience should be part of any organisation’s crisis planning. No matter how sophisticated a cyber attack may be, an effective response will ultimately depend on your people, and their ability to think clearly and strategically.

Get in touch with the Crisis Team to find out how we can help your crisis response strategy and support decision makers in preparing to respond to any type of crisis.

Claudia van den Heuvel Crisis Management Specialist, PwC United Kingdom

Email +44 (0)7525 283080

08 March 2021

Womxn in Cyber’s latest Inspirational Womxn event

by Jocelyn Gaitskell Associate, Cyber Crisis and Continuity

Email +44 (0)7483 915392

by Laura Duncan Director, PwC UK

Email +44 (0)20 7212 3928

At Womxn in Cyber, we are always looking for opportunities to uplift and celebrate the many success stories of our colleagues within the business and beyond. This year, we launched our ‘Inspirational Womxn’ series in the run-up to International Women's Day to do exactly that. We ran a number of events to shine a light on our inspirational colleagues, be that via nominations for the ‘Inspiring Womxn Awards’ or by collaborating with the Gender Balance Network on the ‘Lessons to my 20 year old self’ event.

On 23 February, we hosted the latest instalment of this series, with over 100 colleagues in attendance for the livestream. Our panel comprised both PwC UK and external colleagues who excel in their field. The speakers came from a diverse range of backgrounds, including careers within financial services, work surrounding the behavioural motivations of cyber crime, cyber security transformation and consultancy services, as well as a technology innovation lead responsible for informing board decisions when investing in technology.

The panelists each reflected on their journey, from stories about Ibiza’s sunny shores to the challenge of imposter syndrome when starting a new position. One speaker gave an example of a career coach who attempted to dissuade her from pursuing a more hands-on technology career. She decided to ignore this advice and proceeded to develop a successful career in tech. Having the skill to take ownership of your own journey and discern whether a piece of feedback rings true stood out as an important lesson from the session.

The discussion concluded with an emphasis on the need for women to lift other women up. Whether this is through the creation of mutual mentoring opportunities or the development of new networks or forums to share stories and ideas, the collective aim to cultivate more female role models within the world of cyber and technology is a powerful motivation and something to be strived for.

In line with this goal, we have updated our name in reflection of our aim to welcome all individuals, including anyone identifying as a woman. We began this initiative with a goal of promoting and celebrating women within our industry and achieving gender equality. Embedding inclusivity in everything we do is a key part of achieving that goal. 2020 has shown us that only by coming together can we tackle some of the most complex challenges our society is facing.

If you would like to find out more about the next event in our Inspirational Womxn series, or get involved with the broader Womxn in Cyber group, please contact us.
